feat: Admin Operations SIEM — alerts, notifications, pre-built rules
- Add pluggable notification system (webhook, Slack, Teams) with retry
- Add alert deduplication: same rule + actor within 15 min = one alert
- Add 10 pre-built admin-ops rule templates seeded on startup:
  - Failed Conditional Access, After-Hours Admin Activity
  - New Application Registration, Admin Role Assignment
  - License Change, Bulk User Deletion
  - Device Compliance Failure, Exchange Transport Rule Change
  - Service Principal Credential Added, External Sharing Enabled
- Add /api/alerts, /api/alerts/{id}/status, /api/alerts/summary endpoints
- Add alert dashboard to frontend with status filters and ack/resolve buttons
- Add alert summary badge in hero header (high/medium/low counts)
- New env vars: ALERT_WEBHOOK_URL, ALERT_WEBHOOK_FORMAT, ALERT_DEDUPE_MINUTES
@@ -58,6 +58,12 @@ REDIS_URL=redis://localhost:6379/0
# UI default page size (number of events shown per page)
DEFAULT_PAGE_SIZE=24

# Alert notifications (optional)
# Send triggered admin-ops alerts to a webhook (Slack, Teams, or generic)
ALERT_WEBHOOK_URL=
ALERT_WEBHOOK_FORMAT=generic # generic | slack | teams
ALERT_DEDUPE_MINUTES=15

# Optional: privacy / access control
# Hide entire services from users without PRIVACY_SERVICE_ROLES
# PRIVACY_SERVICES=Exchange,Teams
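Review bot: the trailing `# generic | slack | teams` on `ALERT_WEBHOOK_FORMAT=generic` is an inline comment, and not every env-file loader strips those (the docker CLI's `--env-file`, for one, takes everything after `=` as the value), so under such a loader the format becomes the literal string `generic # generic | slack | teams` rather than `generic`; put the allowed values on their own `#` line above the setting, the way `ALERT_WEBHOOK_URL` and `ALERT_DEDUPE_MINUTES` are already documented. Also worth a comment next to `ALERT_WEBHOOK_URL` that the value is a credential when it points at a Slack or Teams incoming webhook (holding the URL is enough to post into the channel), so the real value belongs only in the untracked `.env`, never in this committed example file.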